Regin is a modular backdoor targeting computers running the Microsoft Windows operating system, publicly described by Kaspersky Lab [1] and Symantec in November 2014. According to Kaspersky Lab representatives, the company first encountered samples in the spring of 2012, and the earliest traces of the platform date from 2003 [2] (the name Regin itself first appeared on the VirusTotal online scanning service on March 9, 2011 [3]). Of the computers infected with Regin, 28% were in Russia, 24% in Saudi Arabia, 9% each in Mexico and Ireland, and 5% each in India, Afghanistan, Iran, Belgium, Austria and Pakistan [4][5].
According to Symantec's statistics, 28% of Regin victims are telecommunications operators, 48% are private individuals and small businesses, and the remaining 24% of infected computers belong to government, energy, financial and research organisations. Kaspersky Lab notes that among private individuals, the operators of this Trojan were particularly interested in people engaged in mathematical or cryptographic research [5].
Description
Regin is a modular Trojan: its core loads only the modules needed for the particular computer or network being attacked. The platform is built for continuous, long-term surveillance of many targets at once [6][7].
Rather than storing its modules and collected data as ordinary files, Regin keeps them in its own encrypted virtual file system (EVFS), which is stored on disk as a single container file. The EVFS is encrypted with a variant of the RC5 block cipher [7]. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols; infected machines can relay traffic for one another, turning the compromised network into a botnet [4][8].
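The article describes the EVFS cipher only as a variant of RC5 and does not give its block size, round count, key length or constants. As an added example (not Regin's code, and not the specific variant it uses), the following Python implements textbook RC5-32 from Rivest's paper, parameterised by round count, together with a constructed toy container and a helper that tries candidate round counts against a known header. That is the kind of check an analyst performs when a known-plaintext header is available and the exact parameterisation of a custom variant is unknown. The sample key, the `EVFS` header magic and the 20-round choice are all assumptions of this example.

```python
import struct

# Textbook RC5-32 (32-bit words) after Rivest's paper.  Regin's EVFS uses an
# RC5 variant whose parameters this article does not state; the round count is
# a parameter here so that candidate values can be tried.
W = 32
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 "magic" constants for 32-bit words


def rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK if y else x


def rotr(x, y):
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK if y else x


def expand_key(key: bytes, rounds: int) -> list:
    """RC5 key schedule: returns the 2*(rounds+1) round subkeys S."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):      # load key bytes little-endian into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):             # mix the secret key into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_block(S, rounds, block):
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<II", A, B)


def decrypt_block(S, rounds, block):
    A, B = struct.unpack("<II", block)
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


def ecb(func, key, rounds, data):
    """Apply func block by block (ECB); len(data) must be a multiple of 8."""
    S = expand_key(key, rounds)
    return b"".join(func(S, rounds, data[i:i + 8]) for i in range(0, len(data), 8))


def guess_rounds(key, ciphertext, known_prefix, candidates=(8, 12, 16, 20, 24)):
    """Return the round count under which the first block decrypts to known_prefix."""
    for r in candidates:
        if ecb(decrypt_block, key, r, ciphertext[:8]).startswith(known_prefix):
            return r
    return None


# Constructed sample (assumption, not a real Regin container): a toy header
# with a known magic, encrypted under a non-default round count to stand in
# for an unknown variant.
SAMPLE_KEY = bytes(range(16))
SAMPLE_HEADER = b"EVFS\x00\x01\x00\x00" + b"\x00" * 8
SAMPLE_CONTAINER = ecb(encrypt_block, SAMPLE_KEY, 20, SAMPLE_HEADER)
```

Before trying variants, validate the implementation against the published RC5-32/12/16 known-answer vector (all-zero 16-byte key and all-zero block encrypt to 21A5DBEE154B8F6D). A real variant may also change the word size or the constants P and Q, which this helper does not search; with a known header those become additional dimensions to enumerate.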
Identification and naming
Symantec and Kaspersky Lab detect the program as Backdoor.Regin [9]. On March 9, 2011, Microsoft added corresponding entries to its Malware Encyclopedia [10][11]; two further variants, Regin.B and Regin.C, were added later. Microsoft names the 64-bit versions of Regin Prax.A and Prax.B.
Creators
Computer security experts compare Regin with Stuxnet in the complexity and resource-intensiveness of its development, which has led to the view that it could have been created at the state level (Symantec speaks directly of a Western intelligence agency) as a multi-purpose data collection tool [12][8][13].
In its report on the malware, Kaspersky Lab gives statistics on the compilation timestamps of its components (the times at which the code was built during development); from these one can conclude that the authors worked a full office day, complete with a lunch break [5].
Notes
1. Regin Revealed. Kaspersky Lab. Retrieved November 24, 2014.
2. Kaspersky: Regin: a malicious platform for spying on GSM networks. November 24, 2014. Archived copy dated May 30, 2015 on the Wayback Machine.
3. The Intercept.
4. Regin: Top-tier espionage tool enables stealthy surveillance. Symantec (23 November 2014). Retrieved November 25, 2014.
5. Regin Trojan: who is spying on GSM via Windows?
6. Regin Malware - 'State-Sponsored' Spying Tool Targeted Govts. The Hacking Post - Latest hacking News & Security Updates.
7. NSA, GCHQ or both behind Stuxnet-like Regin malware? (inaccessible link). scmagazineuk.com (24 November 2014). Retrieved November 25, 2014. Archived June 16, 2016.
8. Regin White Paper. Symantec. Retrieved November 23, 2014.
9. Symantec: Security Response, 23 November 2014. Regin: Top-tier espionage tool enables stealthy surveillance.
10. Microsoft Malware Protection Center, Malware Encyclopedia.
11. Microsoft Malware Protection Center: Trojan:WinNT/Regin.A.
12. BBC News - Regin, new computer spying bug, discovered by Symantec. bbc.com. Retrieved November 23, 2014.
13. Regin White Paper (unavailable link). Kaspersky Lab. Retrieved November 24, 2014. Archived November 27, 2014.